Business Email Compromise scammer sentenced to 41 months in prison

A US judge has sentenced a Nigerian man to three years and five months in a federal prison after he pleaded guilty to taking part in a business email compromise (BEC) scam that targeted organisations around the world.

David Chukwuneke Adindu tricked thousands of businesses between 2014 and 2016 into wiring a total of US $25 million into his overseas bank accounts.

The scam was not the result of a sophisticated hacking attack, or a devious piece of malware. Instead, 30-year-old Adindu simply emailed the companies and asked them to send him the cash.

Well, it wasn’t quite as simple as that. But not far off.

You see, in a BEC scam the criminal sends an email to employees of targeted companies asking that funds be put into bank accounts. A key component for the scam to succeed is for the emails to pretend to come from senior executives within the company, or outside firms that do business with the company.

To make the emails more convincing, their headers can be forged, or they can be sent from domain names that look very similar to the targeted company’s real domain name.
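A mail filter can check for both tricks before a payment request reaches an employee. The sketch below is an added example, not part of the original article. The trusted domain, the sample messages, the flag names and the `bec_flags` helper are all constructed for illustration, and it assumes the `Authentication-Results` header was stamped by your own receiving mail server.

```python
from email import message_from_string
from email.utils import parseaddr

TRUSTED = {"example.com"}  # assumption: the organisation's real domain(s)
# Character swaps often seen in lookalike domains (constructed, not exhaustive).
CONFUSABLES = {"0": "o", "1": "l", "rn": "m", "vv": "w"}

# Constructed sample messages; only the headers matter here.
LOOKALIKE = "From: CEO <ceo@exarnple.com>\nSubject: Urgent wire\n\nPlease pay today."
FORGED = ("From: CFO <cfo@example.com>\nReply-To: cfo@mail-example.net\n"
          "Authentication-Results: mx.example.com; dmarc=fail\n\nInvoice attached.")
CLEAN = "From: CFO <cfo@example.com>\nAuthentication-Results: mx.example.com; dmarc=pass\n\nHi."

def domain_of(header_value):
    """Return the lowercased domain of an address header, or '' if none."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def skeleton(domain):
    """Fold confusable character sequences so visually similar names compare equal."""
    for fake, real in CONFUSABLES.items():
        domain = domain.replace(fake, real)
    return domain

def edit_distance(a, b):
    """Levenshtein distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def bec_flags(raw, trusted=TRUSTED):
    """Return a sorted list of warning flags for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    sender, reply = domain_of(msg["From"]), domain_of(msg["Reply-To"])
    flags = set()
    if sender not in trusted:
        # Near miss of a trusted name: same skeleton or within two edits.
        for good in trusted:
            if skeleton(sender) == skeleton(good) or edit_distance(sender, good) <= 2:
                flags.add("lookalike:" + good)
    elif "dmarc=fail" in (msg["Authentication-Results"] or "").lower():
        # Claims a trusted domain but failed DMARC at our own server.
        flags.add("forged-from")
    if reply and reply != sender:
        flags.add("reply-to-mismatch")  # replies would go somewhere else
    return sorted(flags)
```
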

The most sophisticated BEC scammers will actually break into corporate email accounts, discover details of the third-party suppliers who are doing work for the business, and send bogus invoices in their name for the work that has been done – albeit requesting that the funds be put into a bank account under the control of the scammer.

In this way, some companies have been stung for millions and millions of dollars.

Prosecutors told the court that Adindu’s targets included a New York investment firm. In June 2015 an employee at the unnamed firm received an email claiming to come from an investment adviser at another firm, requesting a US $25,200 wire transfer.

Only after the funds had been transferred did the employee learn that the email was fraudulent, and not from the adviser at all. As a result, they did not comply with a request for a subsequent transfer of US $75,100.